Common Architecture Label IPv6 Security Option (CALIPSO)
draft-stjohns-sipso-11
Revision differences
Document history
Date | Rev. | By | Action |
---|---|---|---|
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Pasi Eronen |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the Abstain position for Jari Arkko |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Magnus Westerlund |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the Abstain position for Lars Eggert |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the No Objection position for Russ Housley |
2012-08-22
|
11 | (System) | post-migration administrative database adjustment to the Abstain position for Ronald Bonica |
2009-04-24
|
11 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2009-04-24
|
11 | (System) | IANA Action state changed to Waiting on RFC Editor from In Progress |
2009-04-24
|
11 | (System) | IANA Action state changed to In Progress from Waiting on Authors |
2009-04-24
|
11 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2009-04-24
|
11 | (System) | IANA Action state changed to In Progress |
2009-04-24
|
11 | Cindy Morgan | State Changes to RFC Ed Queue from Approved-announcement sent by Cindy Morgan |
2009-04-24
|
11 | Amy Vezza | IESG state changed to Approved-announcement sent |
2009-04-24
|
11 | Amy Vezza | IESG has approved the document |
2009-04-24
|
11 | Amy Vezza | Closed "Approve" ballot |
2009-04-21
|
11 | Jari Arkko | [Ballot Position Update] Position for Jari Arkko has been changed to Abstain from Discuss by Jari Arkko |
2009-03-25
|
11 | Lars Eggert | [Ballot Position Update] Position for Lars Eggert has been changed to Abstain from Discuss by Lars Eggert |
2009-03-06
|
11 | (System) | New version available: draft-stjohns-sipso-11.txt |
2009-03-05
|
11 | Ross Callon | [Ballot comment] To me it appears that existing L3VPN technology, while widely deployed and therefore also widely implemented, is really not a great fit for … [Ballot comment] To me it appears that existing L3VPN technology, while widely deployed and therefore also widely implemented, is really not a great fit for the problem that this document is trying to solve. To a large extent L3VPNs rely on the service providers to correctly configure which sites go into which VPNs. This is great for L3VPNs (relieving private networks of significant effort), but seems wrong for what this document is doing. This is part of my motivation for entering a "no objection" vote. |
2009-03-05
|
11 | Ross Callon | [Ballot Position Update] New position, No Objection, has been recorded by Ross Callon |
2009-03-04
|
11 | Pasi Eronen | [Ballot Position Update] Position for Pasi Eronen has been changed to No Objection from Discuss by Pasi Eronen |
2009-03-03
|
10 | (System) | New version available: draft-stjohns-sipso-10.txt |
2009-03-02
|
09 | (System) | New version available: draft-stjohns-sipso-09.txt |
2009-02-20
|
08 | (System) | New version available: draft-stjohns-sipso-08.txt |
2009-02-19
|
11 | Ron Bonica | [Ballot Position Update] Position for Ron Bonica has been changed to Abstain from Discuss by Ron Bonica |
2009-02-19
|
11 | Chris Newman | [Ballot Position Update] Position for Chris Newman has been changed to Yes from No Objection by Chris Newman |
2009-02-19
|
11 | Chris Newman | [Ballot comment] The additional comments in -07 have improved this document to the level where I feel comfortable voting yes on this proposal. |
2009-02-19
|
11 | Russ Housley | [Ballot Position Update] Position for Russ Housley has been changed to No Objection from Discuss by Russ Housley |
2009-02-19
|
11 | Tim Polk | Intended Status has been changed to Informational from Proposed Standard |
2009-02-19
|
11 | Cullen Jennings | Intended Status has been changed to Proposed Standard from Informational |
2009-02-19
|
11 | Cullen Jennings | Intended Status has been changed to Informational from Proposed Standard |
2009-02-13
|
07 | (System) | New version available: draft-stjohns-sipso-07.txt |
2009-01-30
|
11 | Amy Vezza | State Change Notice email list have been change to rja@extremenetworks.com, mstjohns@comcast.net, draft-stjohns-sipso@tools.ietf.org from rja@extremenetworks.com, Mike.StJohns@nominum.com, draft-stjohns-sipso@tools.ietf.org |
2009-01-30
|
11 | Amy Vezza | State Changes to IESG Evaluation::AD Followup from Waiting for AD Go-Ahead by Amy Vezza |
2009-01-30
|
11 | (System) | Removed from agenda for telechat - 2009-01-29 |
2009-01-29
|
11 | Magnus Westerlund | [Ballot Position Update] Position for Magnus Westerlund has been changed to No Objection from Discuss by Magnus Westerlund |
2009-01-29
|
11 | Dan Romascanu | [Ballot comment] I support the issues raised in the DISCUSSes of ROn and Lars. |
2009-01-29
|
11 | Jari Arkko | [Ballot discuss] The IPv6 community has discussed the topic of hop-by-hop options in general, and in this case there has no been no discussions about … [Ballot discuss] The IPv6 community has discussed the topic of hop-by-hop options in general, and in this case there has no been no discussions about this specific proposal in the 6MAN WG. This should be a requirement for moving forward. I also share the same general concerns others have on this document. |
2009-01-29
|
11 | Jari Arkko | [Ballot Position Update] New position, Discuss, has been recorded by Jari Arkko |
2009-01-29
|
11 | Magnus Westerlund | [Ballot discuss] What are the rules for providing IPv6 Options? I can't find anything specifying the rules. Could they just send in a registration request … [Ballot discuss] What are the rules for providing IPv6 Options? I can't find anything specifying the rules. Could they just send in a registration request and not publish the document? I don't understand how IANA evaluates request when there are no rules. I would like the IESG to discuss this issue. |
2009-01-29
|
11 | Magnus Westerlund | [Ballot Position Update] New position, Discuss, has been recorded by Magnus Westerlund |
2009-01-29
|
11 | Pasi Eronen | [Ballot discuss] I support Lars's and Ron's discusses. From the discussion so far, I also get the impression that we might not have IETF Consensus … [Ballot discuss] I support Lars's and Ron's discusses. From the discussion so far, I also get the impression that we might not have IETF Consensus for the approach proposed in this document. Adding to Lars's concern about transport protocols: In this draft, there can be multiple simultaneous TCP connections with the same five-tuple (proto, src, dst, src port, dst port). That probably means updating every middlebox in the network that uses the five-tuple for its state -- and possibly many protocols that use addresses/port numbers to identify connections (anything from RSVP to SDP to ICE to BGP flow specs to RADIUS NAS-Filter-Rule attributes). That sounds bad. |
2009-01-29
|
11 | Pasi Eronen | [Ballot Position Update] New position, Discuss, has been recorded by Pasi Eronen |
2009-01-29
|
11 | Lars Eggert | [Ballot discuss] I'll shortly summarize my points from the discussion in Minneapolis. First, I believe that creating IP options (esp. a hop-by-hop options) for walled-gardens … [Ballot discuss] I'll shortly summarize my points from the discussion in Minneapolis. First, I believe that creating IP options (esp. a hop-by-hop options) for walled-gardens is inappropriate. We've been pushing back when other SDOs wanted to do this. I see no reason why this case is different. A second concern is that this proposal resurrects historic IPv4 technology for IPv6, when we have better protocol mechanisms available that would address the same set of requirements (cf. Ron's comment on VPN). Third, this draft is not just asking for an IP option number. It changes many more pieces of the architecture, e.g., how applications interact with transport protocols. Finally, there was no serious attempt to engage the IETF community on their strong last call comments. Pretty much the only change was to move the document to Informational, which is essentially irrelevant, because what matters is that an IP option number will be allocated by an IESG approval. I'd like to discuss these issues on the call, to see if I'm on the rough side of the consensus here. I'll move to an abstain afterwards. |
2009-01-29
|
11 | Lars Eggert | [Ballot Position Update] New position, Discuss, has been recorded by Lars Eggert |
2009-01-28
|
11 | Chris Newman | [Ballot Position Update] New position, No Objection, has been recorded by Chris Newman |
2009-01-28
|
11 | Russ Housley | [Ballot discuss] The Gen-ART Review by Elwyn Davies was posted on 28-Jan-2009. The IANA related comment must be addressed before the document can be … [Ballot discuss] The Gen-ART Review by Elwyn Davies was posted on 28-Jan-2009. The IANA related comment must be addressed before the document can be approved. The other comments deserve consideration as well. s9.2: The authors have requested IESG assistance with the IANA considerations section. The section does not currently have a well defined allocation policy (it is sort of FCFS with expert review on the side). |
2009-01-28
|
11 | Russ Housley | [Ballot Position Update] New position, Discuss, has been recorded by Russ Housley |
2009-01-27
|
11 | Ron Bonica | [Ballot discuss] Could you explain why the problem that you are solving can't be addressed with any of the existing VPN technologies (e.g. L3VPN). |
2009-01-27
|
11 | Ron Bonica | [Ballot discuss] Could you explain why the problem that you are solving can't be addressed with any of the existing VPN technologies (e.g. L3VPN). |
2009-01-27
|
11 | Ron Bonica | [Ballot Position Update] New position, Discuss, has been recorded by Ron Bonica |
2009-01-23
|
11 | Sam Weiler | Request for Telechat review by SECDIR is assigned to Sam Hartman |
2009-01-23
|
11 | Sam Weiler | Request for Telechat review by SECDIR is assigned to Sam Hartman |
2009-01-22
|
11 | Tim Polk | [Ballot Position Update] New position, Yes, has been recorded for Tim Polk |
2009-01-22
|
11 | Tim Polk | Ballot has been issued by Tim Polk |
2009-01-22
|
11 | Tim Polk | Created "Approve" ballot |
2009-01-22
|
11 | Tim Polk | Placed on agenda for telechat - 2009-01-29 by Tim Polk |
2008-12-02
|
06 | (System) | New version available: draft-stjohns-sipso-06.txt |
2008-10-23
|
11 | (System) | State has been changed to Waiting for AD Go-Ahead from In Last Call by system |
2008-10-17
|
11 | Amanda Baber | IANA Last Call comments: IESG Note: Expert Assignment Required for Action 2. Action 1 (Section 9.1): Upon approval of this document, the IANA will make … IANA Last Call comments: IESG Note: Expert Assignment Required for Action 2. Action 1 (Section 9.1): Upon approval of this document, the IANA will make the following assignments in the "Internet Protocol Version 6 (IPv6) Parameters" registry located at http://www.iana.org/assignments/ipv6-parameters sub-registry "5.b. Options Types" HEX act chg rest --- --- --- ----- [TBD] 00 0 [TBD] CALIPSO [RFC-stjohns-sipso-05] Action 2 (Section 9.1): Upon approval of this document, the IANA will create the registry "CALIPSO DOI Values" at http://www.iana.org/assignments/TBD Registration Procedures: DOI Value Organisation or Use ======================= ============================ 0:0:0:0 Null DOI; MUST NOT be used on any network at any time. 0:0:0:1 to 0:255:255:255 For private use among consenting parties within private networks; for reasons of interoperability, these DOI values MUST NOT ever appear on the global public Internet. 1:0:0:0 to 254:255:255:255 For assignment by IANA to organisations following the guidelines in the paragraph below. 255:0:0:0 to 255:0:0:0 Reserved to the IETF for future use by possible revisions of this specification. For the CALIPSO DOI values registry, IANA is requested to issue a new DOI value to any organisation that requests it. Any assignments made will be publicly available from the IANA website. DOI values beginning with decimcal 0:0:0 are reserved for private use amongst consenting parties; values in this range will not be allocated by IANA to any particular user or user community. For reasons of interoperability, these DOI values MUST NOT ever appear on the global public Internet. A commercial organisation will normally only be assigned at most two DOI values. A single national government or multi-national treaty organisation (e.g. NATO, UN) normally may be assigned up to 10 CALIPSO DOI values, if that is requested. If a given national government has NOT requested a set of national values, then different government departments (e.g. Ministry of Defence, Department of Energy, Department of Homeland Security) or different states/provinces (e.g. Queensland, New South Wales) within that given national government each normally may independently request up to 2 different CALIPSO DOI values. DOI values beginning with decimal 255 are reserved to the IETF for use in future versions of this specification. IESG approval is required for allocation of DOI values within that range. With respect to delegation in unclear circumstances, IANA may ask the IESG to appoint "Designated Experts" to provide advice. Initial contents of this registry will be: DOI Value Organization or Use Reference --------- ------------------- --------- We understand the above to be the only IANA Actions for this document. |
2008-10-03
|
11 | Sam Weiler | Request for Last Call review by SECDIR Completed. Reviewer: Sam Hartman. |
2008-09-26
|
11 | Sam Weiler | Request for Last Call review by SECDIR is assigned to Sam Hartman |
2008-09-26
|
11 | Sam Weiler | Request for Last Call review by SECDIR is assigned to Sam Hartman |
2008-09-25
|
11 | Cindy Morgan | Last call sent |
2008-09-25
|
11 | Cindy Morgan | State Changes to In Last Call from Last Call Requested by Cindy Morgan |
2008-09-25
|
11 | Tim Polk | State Changes to Last Call Requested from Publication Requested by Tim Polk |
2008-09-25
|
11 | Tim Polk | Last Call was requested by Tim Polk |
2008-09-25
|
11 | (System) | Ballot writeup text was added |
2008-09-25
|
11 | (System) | Last call text was added |
2008-09-25
|
11 | (System) | Ballot approval text was added |
2008-09-25
|
11 | Tim Polk | Area acronymn has been changed to sec from gen |
2008-09-25
|
11 | Tim Polk | Intended Status has been changed to Proposed Standard from None |
2008-09-11
|
11 | Tim Polk | State Changes to Publication Requested from AD is watching by Tim Polk |
2008-09-11
|
11 | Tim Polk | Summary of draft-stjohns-sipso-05.txt; Submitted on 11 September 2008. 1A> Who is the Document Shepherd ? Randall Atkinson, who is also the active document … Summary of draft-stjohns-sipso-05.txt; Submitted on 11 September 2008. 1A> Who is the Document Shepherd ? Randall Atkinson, who is also the active document editor. 1A> Has the document Shepherd personally reviewed this version of the document and, in particular does s/he believe this version is ready for forwarding to the IESG for publication ? Yes. Yes. 1B> Has the document had adequate review both from key WG members and from key non-WG members ? There is no related WG. The document has had extensive review by both implementers and users. There are no known unresolved issues. 1B> Does the Document Shepherd have concerns about the depth or breadth of the reviews that have been performed ? No. 1C> Does the document shepherd have concerns that the document needs more review from a particular or broader perspective ? No. 1D> Does the document shepherd have any specific concerns or issues with this document that the Responsible AD or IESG should be aware of ? No. 1E> How solid is the WG consensus behind this document ? This is an individual submission, not a WG document. The document shepherd believes that among the reviewers there is clear consensus that this document is adequate. 1F> Has anyone threatened an appeal or otherwise indicated extreme discontent ? No. 1G> Has the document shepherd personally verified that the document satisfies all I-D Nits ? Yes. The document does not have an "intended status" text because that is a decision for the Sponsoring AD and IESG as a whole. 1H> Has the document split references into Normative and Informative subsections ? Yes. 1H> Are there normative references to documents that are in an unclear state or otherwise not ready for advancement ? No. 1H> Are there normative references that are downward references ? No. 1I> Has the document shepherd verified that the document's IANA Considerations section exists and is consistent with the body of the document ? Yes. Yes. The IANA Considerations was last revised following guidance from the sponsoring AD (Tim Polk). 1I> Are the IANA registries clearly identified ? Yes. 1I> If the document creates a new registry, does it define the proposed initial contents and an allocation procedure ? Yes. 1I> Does it suggest a reasonable name for the new registry ? Yes. 1I> If the document describes an expert review process, has shepherd conferred with the responsible AD so the IESG can appoint the needed expert during the IESG evaluation ? Yes. Proposal is for Ran Atkinson to be the primary designated expert for questionable cases, with Mike StJohns as the designated backup expert. 1J> Has the document shepherd verified that sections of the document specified in a formal language validate correctly ? Not applicable. 1K> Please provide a Document Announcement Write-Up. Please see bottom. 1K> Are there any existing implementations of this protocol ? No. Several vendors have indicated interest in implementing this option as part of their mandatory access control features for hosts or routers. It is believed likely that at least one open source operating system will implement this specification. At least one router implementer has evaluated implementing support for this option in silicon, and is satisfied that this would be practical to do. Technical Summary This document defines a new IPv6 Hop-by-Hop Option that will be used narrowly within multi-level secure network deployments. This option is used to enable mandatory access controls (e.g. to prevent a MOST SECRET packet from being forwarded out an UNCLASSIFIED interface). This option is related to prior IPv4 work in the same area, specifically RFC-1038, RFC-1108 (IPSO), and FIPS-188 (CIPSO). Those IPv4 options are deployed by many countries and several financial institutions to provide mandatory access controls for IPv4 packets. These IPv4 options are supported in some current commercial products. For example, Cisco IOS, Sun Trusted Solaris, and SE-Linux support RFC-1108; Sun Trusted Solaris, SGI IRIX, and SE-Linux also support FIPS-188. This must be an IPv6 Hop-by-Hop option because routers that have been enhanced to recognise this option are a critical point where mandatory access controls are applied. Because this option should never appear on the public global Internet, and because the option is part of a scheme for mandatory access controls, this option ought not create a denial-of-service issue for routers in the global Internet. Working Group Summary This document is an individual submission, not the product of an IETF working group. The document has been reviewed extensively by implementers at several different firms. It also has been reviewed by users at multiple operational sites in multiple countries and organisations. Document Quality This document is acceptable to the reviewers that have provided input to the document. No concerns about clarity have been received by the document editor or document shepherd. This specification is much more detailed than the previous IPv4 label option specifications were. Personnel Randall Atkinson is the document shepherd, and is also the active document editor. Tim Polk is the sponsoring Area Director. EOF |
2008-08-25
|
05 | (System) | New version available: draft-stjohns-sipso-05.txt |
2008-08-22
|
11 | Tim Polk | State Change Notice email list have been change to rja@extremenetworks.com, Mike.StJohns@nominum.com, draft-stjohns-sipso@tools.ietf.org from Mike.StJohns@nominum.com, draft-stjohns-sipso@tools.ietf.org |
2008-08-22
|
11 | Tim Polk | Draft Added by Tim Polk in state AD is watching |
2008-07-07
|
04 | (System) | New version available: draft-stjohns-sipso-04.txt |
2008-05-22
|
03 | (System) | New version available: draft-stjohns-sipso-03.txt |
2007-11-14
|
02 | (System) | New version available: draft-stjohns-sipso-02.txt |
2007-04-11
|
01 | (System) | New version available: draft-stjohns-sipso-01.txt |
2007-02-16
|
00 | (System) | New version available: draft-stjohns-sipso-00.txt |